OFFICE OF INSPECTOR GENERAL
Audit Report

Inspection of the Railroad Retirement Board's
Agency Enterprise General Information Support System
Certification and Accreditation

This abstract summarizes the results of the subject audit. The full report includes information protected from disclosure and has been designated for limited distribution pursuant to 5 U.S.C. § 552

Report No. 11-10
September 28, 2011

RAILROAD RETIREMENT BOARD

REPORT ABSTRACT
Inspection of the Railroad Retirement Board's Agency Enterprise General Information Support System Certification and Accreditation

The Office of Inspector General (OIG) of the Railroad Retirement Board (RRB) conducted an inspection to determine whether the activities conducted at the RRB for the certification and accreditation of the Agency Enterprise General Information Support System (AEGIS) comply with existing policy, procedures, guidance, and standards.

The Federal Information Security Management Act of 2002 (FISMA) requires agencies to establish and maintain an agency-wide security management program that includes testing of security controls with a frequency that is no less than annually. In addition to testing security controls, an agency official must authorize the system for processing. This authorization must be in writing and must occur at least every three years. In fiscal year (FY) 2010, RRB hired a contractor to conduct a certification and accreditation, currently referred to as a system authorization, for AEGIS.

In a separately issued Restricted Distribution report, we communicated that the activities conducted at RRB for the certification and accreditation do not fully comply with existing policy, procedures, guidance, and standards. In our FY 2009 FISMA report, the OIG cited the RRB with a significant deficiency in internal control over the certification and accreditation process because of an ineffective review process for contractor deliverables. Our inspection found that the internal control structure over the certification and accreditation process is still a significant deficiency. We made three recommendations to RRB management:

   •    to develop a comprehensive review process that includes a comparison of the documents for consistency and verification that all of the requirements for applicable controls are adequately addressed;
   •    to review prior plan of action and milestones (POAM) items and update the current agency-wide POAM to include all outstanding weaknesses for the AEGIS system; and
   •    to develop and implement detailed POAM procedures for maintaining the information necessary to allow independent verification and validation of POAM closures, and for tracking of agency corrective action by the Chief Information Officer.

Agency Management has agreed to take corrective actions for all recommendations.